All online businesses operating in the EU must comply with PSD2 (the Payment Service Directive, 2nd edition) requirements. These include SCA (Strong Customer Authentication) and 3D Secure compliance. While these terms are interconnected, they are in no way interchangeable. This article explains the connection and the differences between PSD2, SCA, and 3D Secure in terms of fraud prevention, based on Covery’s know-how and insights.
As an enterprise-grade risk management and fraud prevention platform, Covery has comprehensive understanding of and experience in ensuring regulatory compliance. We help our customers mitigate risks, detect and prevent various fraud schemes, and automate chargeback solutions, all while remaining compliant with regulatory legislation.
What are PSD2 and SCA?
PSD2 is the 2nd edition of the Payment Service Directive from 2007; it was enacted in 2016. It aims to provide transparent and unified payment service rules across the EU: to ensure open banking and transparency of interaction between market players, to protect customer data better, and to foster collaboration by making it easier for new entrants to join the market.
PSD2 provides sets of rules for key aspects of financial services:
- licensing for payment institutions regarding account information provisioning and payment initiation to ensure “open banking”
- transparency of all charges related to payment processing (no hidden fees)
- clear rights and obligations between providers and consumers of financial services
- strong security requirements to safeguard financial transactions and customer data (Strong Customer Authentication) in order to reduce the risk of fraud
As you can see, PSD2 is an overarching regulatory document, while SCA is one of its main components.
SCA is the process of verifying the customer’s identity using two or more independent elements from the categories of knowledge (what the user knows), possession (what the user has), and inherence (what the user is). This way, even if one or more of these elements is compromised, the customer’s authentication as a whole still holds.
In everyday life, SCA includes secret questions like your first pet’s name, one-time passwords sent via SMS, biometric identification with fingerprints or iris scans, and any other method technically applicable to securing financial transactions.
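The independence requirement above is the part that is easiest to get wrong in practice: two verified factors from the same category (a password plus a secret question, both "knowledge") do not satisfy SCA, because a single compromise of the user's secrets defeats both. The following is an added example, not Covery's code, showing a small decision function that enforces this. The mapping of authentication methods to categories is an assumption of the example, as are the constructed sample transactions.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class FactorCategory(Enum):
    """The three independent SCA element types."""
    KNOWLEDGE = "knowledge"    # something the user knows (password, secret question)
    POSSESSION = "possession"  # something the user has (phone receiving an SMS OTP)
    INHERENCE = "inherence"    # something the user is (fingerprint, iris scan)


# Hypothetical classification of authentication methods into SCA categories
# (an assumption of this example; adapt it to the methods your platform offers).
METHOD_CATEGORY = {
    "password": FactorCategory.KNOWLEDGE,
    "secret_question": FactorCategory.KNOWLEDGE,
    "sms_otp": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "iris_scan": FactorCategory.INHERENCE,
}


@dataclass(frozen=True)
class FactorResult:
    """Outcome of one authentication step performed during a transaction."""
    method: str
    verified: bool

    @property
    def category(self) -> FactorCategory:
        return METHOD_CATEGORY[self.method]


def sca_satisfied(results: list[FactorResult]) -> tuple[bool, str]:
    """Decide whether a set of completed authentication steps meets SCA.

    Two conditions must hold:
      1. at least two steps were actually verified, and
      2. the verified steps come from at least two *different* categories,
         so that compromising one category (e.g. every knowledge secret)
         is not enough to pass.
    Returns (decision, human-readable reason) so the outcome can be logged.
    """
    verified = [r for r in results if r.verified]
    if len(verified) < 2:
        return False, f"only {len(verified)} verified factor(s); SCA needs at least two"

    categories = {r.category for r in verified}
    if len(categories) < 2:
        only = next(iter(categories)).value
        return False, f"factors are not independent: all verified factors are '{only}'"

    used = ", ".join(sorted(c.value for c in categories))
    return True, f"SCA met with independent categories: {used}"


if __name__ == "__main__":
    # Constructed sample transactions, each listing the authentication steps completed.
    samples = {
        "password + secret question": [FactorResult("password", True),
                                       FactorResult("secret_question", True)],
        "password + SMS OTP": [FactorResult("password", True),
                               FactorResult("sms_otp", True)],
        "fingerprint + failed OTP": [FactorResult("fingerprint", True),
                                     FactorResult("sms_otp", False)],
    }
    for label, steps in samples.items():
        ok, reason = sca_satisfied(steps)
        print(f"{label:28s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

Only the second sample passes: the first has two factors but one category, and the third has two categories but only one factor that actually verified. Returning the reason string alongside the decision is deliberate, since a risk engine needs to record why a transaction was challenged or declined, not just that it was.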
What are SCA and 3DS?
As you can see, SCA is a general requirement for multi-factor verification that combines two or more pieces of customer-specific information. Many people assume it is the same thing as 3DS (or 3D Secure), but the two are actually different.
3DS stands for Three-Domain Secure, meaning that an additional layer of security is added to online transactions. For example, a merchant might forward a customer to their bank’s login page to enter their card’s PIN code or a one-time password sent via SMS. This shifts the liability for the transaction from the merchant to the bank and confirms that the customer has access to both their credentials and their phone.
Is 3D Secure the same as SCA?
As shown above, while 3D Secure applies SCA rules and logic, it is not the same term. SCA is the regulatory concept; 3DS 2.0 is a practical protocol for implementing it, designed by the major card schemes to ensure PSD2 compliance.
3DS 2.0 is a particular case of SCA implementation, adaptable to changing technology. Nowadays, it mostly uses OTP sent to users’ mobile devices or other textual or voice identification methods. However, it can also use biometric identification, should fingerprint or eye iris scanning technologies become more popular and widespread on mobile devices.
Conclusions
Now you know what the terms PSD2, SCA and 3D Secure 2.0 mean. While the first two stand for legal concepts and rule sets, the third is the practical implementation of those principles. All three are essential for successful and secure financial operations, but while PSD2 and SCA compliance is achieved once, 3DS 2.0 is a tool for daily use that continuously ensures the security of your transactions.
Covery is an anti-fraud system popular across the US, EU, and Asia. As a comprehensive anti-fraud tool with chargeback solutions, Covery is capable of implementing any transaction security and fraud prevention logic. As of 2022, Covery confirmed GDPR, ISO 27001, and PSD2 compliance to ensure customer data security and transparency of operations. Should you want to learn more about the value we can provide, contact us for a free demo!